Wp-vcd malware is back attacking WordPress

WordPress sites are being targeted by malware called wp-vcd, which hides inside legitimate WordPress files and is used to add a secret admin user and give attackers control over infected sites. The malware was first spotted online this summer by Italian cybersecurity specialist Manuel D’Orso. The original version was loaded via an include call for the wp-vcd.php file and injected malicious code into WordPress core files such as functions.php and class.wp.php. At the time this was not a massive campaign, but over the last months the attacks have continued and evolved.

Last week, Sucuri noticed a new version of this malware that injected malicious code inside the legitimate files of twentyfifteen and twentysixteen — the default themes that shipped with the WordPress CMS in 2015 and 2016, and which are still found on a large “[The] code is pretty straightforward and doesn’t hide its malicious intentions by encoding or obfuscation of functions,” Sucuri said.

Hackers do not care whether the themes are active or not; they simply used the theme files to hide malicious code. The code creates a secret new admin account called 100010010. The purpose of this backdoor account is to keep a way back into infected sites so that the attackers can carry out further attacks later. According to Sucuri security researcher Denis Sinegubko, the wp-vcd malware now comes preinstalled inside pirated WordPress premium themes offered for free download on sites known for providing nulled scripts, themes, and plugins for various CMS platforms.

wp-vcd used to inject spam on infected sites

Sinegubko says that since Sucuri saw a resurgence of the wp-vcd malware in late November, attackers have used the wp-vcd backdoor accounts to insert spam on infected sites. Some of these spam messages also led users back to the websites offering the nulled themes, helping the wp-vcd authors propagate their malware and expand their network of hacked sites. According to Sucuri, the attackers also use vulnerabilities in outdated plugins and themes to upload wp-vcd to vulnerable sites. Sites protected by a basic web application firewall (WAF) would have been safe, since it would have spotted and prevented the modification of core WordPress files. Some of the affected sites contained a malicious file called wp-vcd.php inside the wp-includes folder, and that file was included from the wp-includes/post.php and functions.php files.

In a few sites we looked at there was no file named wp-vcd.php or class.theme-modules.php; instead, we found the malicious code written directly inside the theme’s functions.php file.
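To turn the indicators above (the dropped wp-vcd.php and class.theme-modules.php files, and the include calls added to core and theme files) into a check, here is an added example scanner; it is not code from the article or from Sucuri, and the WordPress tree it scans is constructed in a temporary directory with those indicators planted.

```python
import os
import re
import tempfile

# Indicators from the article: the files wp-vcd drops and the include calls it adds.
DROPPED_FILES = {"wp-vcd.php", "class.theme-modules.php"}
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?[^;]*?(wp-vcd\.php|class\.theme-modules\.php)",
    re.IGNORECASE,
)

def scan_wordpress_tree(root):
    """Walk a WordPress install; return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name in DROPPED_FILES:            # the dropped file itself
                findings.append((rel, "dropped malware file present"))
            elif name.endswith(".php"):          # core/theme file patched with an include
                with open(full, encoding="utf-8", errors="replace") as fh:
                    match = INCLUDE_RE.search(fh.read())
                if match:
                    findings.append((rel, "includes " + match.group(1)))
    return sorted(findings)

def build_sample_install(root):
    """Write a constructed (not real) WordPress layout with the article's IoCs planted."""
    files = {
        "wp-includes/post.php": "<?php\n// core code ...\ninclude_once(ABSPATH . 'wp-includes/wp-vcd.php');\n",
        "wp-includes/wp-vcd.php": "<?php\n// placeholder standing in for the dropped backdoor file\n",
        "wp-includes/functions.php": "<?php\n// clean core file\nfunction wp_example() {}\n",
        "wp-content/themes/twentysixteen/functions.php":
            "<?php\nrequire_once(dirname(__FILE__) . '/class.theme-modules.php');\n",
        "wp-content/themes/twentysixteen/class.theme-modules.php": "<?php\n// placeholder\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Build the sample install in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        return scan_wordpress_tree(root)
```

The variant that writes the code inline into the theme’s functions.php, with no dropped file and no include call, is not caught by this pattern; for that, compare the theme files against a clean copy of the same theme version.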

The code appears to download content from a malicious website (see the screenshot below) under varied top-level domains such as .xyz, .com, .cc, .me, etc. The .com, .cc and .me domains did not load; the .xyz one just displayed a strange creature with the message “That’s it! Come on over here!”.

The first step in defeating an enemy is understanding it.

The cause of a WP-VCD infection is a nulled theme or a nulled plugin. The plugin installation file often contains this directive:

Even with a Google Analytics embed. A quick Google search shows that the attack was effective on many websites, some of them very recently. It goes without saying that both aotson.com and downloadfreethemes.download take advantage of the new domain privacy services to protect the identity of the registrants. Both use WhoisGuard by Cloudflare.

Conclusion

Although this is not a particularly dangerous piece of malware, extra care is needed to avoid becoming a victim of this kind of attack, even with an up-to-date WordPress install. Keep a firewall with core-file change monitoring in place and always update themes. In our next article we will show the actual cleanup of an infected site.